BS 10012:2017 and the GDPR

URM > Consultancy > BS 10012:2017 and the GDPR

BS 10012:2017 and the GDPR

BS 10012 is a British management system standard which has been developed to enable organisations to implement a personal information management system (PIMS). This provides a framework for maintaining and improving compliance with data protection legislation and good practice. The framework will help you to manage risks to the privacy of personal data and implement appropriate policies, procedures and controls. In March 2017, BSI updated this Standard in response to the introduction of the European Union General Data Protection Regulation (GDPR). Article 42 of the GDPR encourages the “establishment of data protection certification mechanisms…. for the purpose of demonstrating compliance with this Regulation of processing operations by controllers and processors.” This is exactly what BS 10012:2017 is intended to offer.

BS 10012:2017 follows the ‘Plan-Do-Check-Act’ continuous improvement model and is aligned to ISO Annex SL, adopted by all key management system standards, enabling organisations to integrate their PIMS with other standards, notably ISO/IEC 27001:2013. It is also a standard which organisations can now certify against.

Benefits of implementing BS 10012:2017

By implementing and certifying your PIMS against BS 10012:2017, you will be able to:

  • Demonstrate your commitment to protecting client and stakeholder personal data
  • Identify risks to personal information and implement controls to mitigate them
  • Use the management system as part of a privacy compliance framework to demonstrate compliance with the GDPR and the revised UK Data Protection Act
  • Benchmark and continually improve your management of personal data against recognised best practice
  • Protect your reputation and minimise adverse publicity
  • Gain competitive advantage when seeking and retaining business.

How do I achieve certification to BS 10012:2017

As stated above, BS 10012:2017 has been drafted using the rules specified for management system standards in the ISO Directives Annex SL and follows the common structure and core text as standards such as ISO/IEC 27001:2013 and ISO 9001:2015.

As one of UK’s leading implementers of ISO 27001 and with its wealth of data protection experience and expertise, URM is uniquely placed to assist you develop and implement a PIMS and achieve certification with BS 10012:2017. These services range from conducting a gap analysis (where one of URM’s consultants will assess your existing PIMS and compare it against the BS 10012 requirement) to full lifecycle services. URM also offers a readiness assessment service for those organisations seeking certification. With the full lifecycle implementation services, URM can assist you meeting requirements such as:

  • Understanding and documenting the context of the organisation (inc. determining the scope of the PIMS
  • Demonstrating leadership and commitment with respect to the PIMS (inc. establishing a PIMS policy)
  • Planning actions to address risks and opportunities (inc. defining a data inventory and data flow analysis process, a data protection impact assessment (DPIA) process and a risk treatment process)
  • Determining and providing the resources needed for the establishment, implementation, maintenance and continual improvement of the PIMS
  • Implementing the PIMS (inc. conducting risk assessments and ensuring the organisation meets the principles and requirements of the GDPR* e.g. to ensure that personal information is processed fairly and lawfully and in a transparent manner )
  • Evaluating the performance of the PIMS (inc. conducting internal audits and management reviews
  • Continually improving the PIMS (inc. implementing corrective and preventive actions).


*For more information on meeting the requirements of the GDPR, see Data Protection and the GDPR